Merge pull request #358 from nextcloud/backport/356/stable32

julien-nc · web-flow · commit 9d61a0b55974 · 2026-01-08T12:08:59.000+01:00
[stable32] Check access permission when requesting rules related with a file
diff --git a/lib/Service/ApprovalService.php b/lib/Service/ApprovalService.php
@@ -78,6 +78,10 @@ public function getBasicUserRules(string $userId, string $role): array {
 	 * @return array
 	 */
 	public function getUserRules(string $userId, string $role = 'requesters', ?int $fileId = null): array {
+		if ($fileId !== null && !$this->utilsService->userHasAccessTo($fileId, $userId)) {
+			throw new \InvalidArgumentException('File not found');
+		}
+
 		$userRules = [];
 		$rules = $this->ruleService->getRules();
 
